Legal claims defining the scope of protection, as filed with the USPTO.
1. A method comprising: receiving, by a processor, an unencrypted object that comprises plaintext and metadata that describes the plaintext; obtaining, by the processor, a data encryption key (DEK) and a nonce key for the unencrypted object, the nonce key different than the DEK; encrypting, by the processor, the unencrypted object, the encrypting comprising: generating a nonce based at least in part of the plaintext and the nonce key; and generating ciphertext and a metadata authentication tag comprising a signature of the metadata, the generating based at least in part on the plaintext, the metadata, the DEK, and the nonce; and creating an encrypted object that includes the ciphertext, the metadata, and the metadata authentication tag.
2. The method of claim 1 , wherein the nonce is generated once, and in response to the encrypted object being created the nonce is linked to the encrypted object via a pointer to the nonce in the encrypted object or linked to the encrypted object via inclusion of the nonce in the encrypted object.
3. The method of claim 1 , wherein the generating the nonce comprises executing a nonce encryption algorithm that takes as input the plaintext and the nonce key, and that outputs the nonce.
4. The method of claim 3 , wherein the nonce encryption algorithm is an Advanced Encryption Standard with Cipher-based Message Authentication Code (AES-CMAC) encryption algorithm.
5. The method of claim 1 , wherein the nonce key is created and linked to the DEK in response to the DEK being created.
6. The method of claim 1 , wherein a plurality of nonce keys correspond to the DEK and the nonce key is included in the plurality of nonce keys.
7. The method of claim 1 , wherein the encrypting the unencrypted object is performed using an Advanced Encryption Standard with Galois/Counter Mode (AES-GCM) encryption algorithm.
8. The method of claim 1 , further comprising: receiving, by the processor, a second ciphertext, the second ciphertext previously generated by encrypting a second plaintext based at least in part on the second plaintext, a second nonce, and a copy of the DEK; comparing the second ciphertext to the ciphertext; based on the second ciphertext matching the ciphertext, indicating that second plaintext matches the plaintext; and based on the second ciphertext not matching the ciphertext, indicating that the second plaintext does not match the plaintext.
9. The method of claim 8 , wherein the second nonce matches the nonce when the second plaintext matches the plaintext.
10. The method of claim 8 , wherein the comparing includes a database join operation between a first column in a first database and a second column in a second database.
11. The method of claim 1 , further comprising decrypting, by the processor, the encrypted object, the decrypting comprising executing a decryption algorithm that receives as input the DEK, the ciphertext, the metadata authentication tag, the metadata, the object, and the nonce, and that outputs the plaintext, the metadata, and an indicator of metadata validity.
12. A system comprising: one or more processors for executing computer readable instructions, the computer readable instructions controlling the one or more processors to perform operations comprising: receiving an unencrypted object that comprises plaintext and metadata that describes the plaintext; obtaining a data encryption key (DEK) and a nonce key for the unencrypted object, the nonce key different than the DEK; encrypting the unencrypted object, the encrypting comprising: generating a nonce based at least in part of the plaintext and the nonce key; and generating ciphertext and a metadata authentication tag comprising a signature of the metadata, the generating based at least in part on the plaintext, the metadata, the DEK, and the nonce; and creating an encrypted object that includes the ciphertext, the metadata, and the metadata authentication tag.
13. The system of claim 12 , wherein the nonce is generated once and in response to the encrypted object being created the nonce is linked to the encrypted object via a pointer to the nonce in the encrypted object or linked to the encrypted object via inclusion of the nonce in the encrypted object.
14. The system of claim 12 , wherein the generating the nonce comprises executing a nonce encryption algorithm that takes as input the plaintext and the nonce key, and that outputs the nonce.
15. The system of claim 14 , wherein the nonce encryption algorithm is an Advanced Encryption Standard with Cipher-based Message Authentication Code (AES-CMAC) encryption algorithm.
16. The system of claim 12 , wherein the nonce key is created and linked to the DEK in response to the DEK being created.
17. The system of claim 12 , wherein the encrypting the unencrypted object is performed using an Advanced Encryption Standard with Galois/Counter Mode (AES-GCM) encryption algorithm.
18. A computer program product comprising a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a processor to cause the processor to perform operations comprising: receiving an unencrypted object that comprises plaintext and metadata that describes the plaintext; obtaining a data encryption key (DEK) and a nonce key for the unencrypted object, the nonce key different than the DEK; encrypting the object, the encrypting comprising: generating a nonce based at least in part of the plaintext and the nonce key; and generating ciphertext and a metadata authentication tag comprising a signature of the metadata, the generating based at least in part on the plaintext, the metadata, the DEK, and the nonce; and creating an encrypted object that includes the ciphertext, the metadata, and the metadata authentication tag.
19. The computer program product of claim 18 , wherein the generating the nonce comprises executing a nonce encryption algorithm that takes as input the plaintext and the nonce key, and that outputs the nonce.
20. The computer program product of claim 18 , wherein the nonce key is created and linked to the DEK in response to the DEK being created.
Unknown
March 1, 2022
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.